Gawker Source Code and Databases Compromised

An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"

So much for offloading infrastructure outside.

[sethstorm]

Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.

Goodwill?

[Cyberllama]

I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users passwords and personal data". Now my email address is going to get spammed . . . .

Further Lessons

[alvinrod]

Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator [mailinator.com] or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.

I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.

Re:Goodwill?

[LighterShadeOfBlack]

He's not calling what the hackers did 'goodwill', he's saying they shouldn't allow a situation to come about where the goodwill (or lack thereof) is the difference between an e-mail advising of the vulnerability and... well... this. In other words he's taking responsibility for the vulnerability in their systems instead of trying to say that it's all the evil hackers fault for exploiting it. A refreshing change from the usual response to this kind of thing.

Re:Encrypted? Hashed?

[sglider]

This has all happened before [codinghorror.com], and it will all happen again.

Hashed passwords provide a degree of protection, so long as you salt the hash, and store a different salt for each password (for maximum protection [codinghorror.com]).

Any programmer that doesn't understand salts, hashing, and encrypting should not bother making software that handles logins, period.

Re:The torrent file...

[Anonymous Coward]

So I can check if my address and password were included so I know whether to go round changing them everywhere...

Re:Children suck

[causality]

We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.

This is the major problem with the internet - we let children on it.

Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.

There's no indication that the people who compromised Gawker were minors... but to respond to your larger sentiment...

People who have malicious intentions and do bad things exist. They exist in large numbers. It is simply not possible to identify and stop every last one of them. It's not even feasible to significantly reduce their numbers. Not even the power of law can accomplish that. Indeed, law is a tool for managing this fact of life and has no real power to completely prevent it. There's nothing anyone can do about this reality. It can only be acknowledged, accepted, and worked with. Denial and delusion are your only other options.

There's one thing we can do, however. We can harden the targets. We can secure the systems for which each of us is responsible. We can realize that compromises like this are preventable and then take steps to prevent them. We can learn from the example of those who failed to do so. At the end of the day, we can realize that we're not helpless victims completely at the mercy of random chance or luck, but rather, that there is a great deal we can do to become an extremely difficult target.

Posts like this one [slashdot.org] are written in the spirit of this understanding. It highlights that the owners of those systems acknowledge that they have failed, have accepted responsibility for that, and therefore have the fewest obstacles to learning from this experience and overcoming it. An attitude of blaming everything on "those evil hackers", though they truly have done wrong, would practically guarantee that nothing is learned and no skills are improved.

That's not the most insecure part

[The Moof]

I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...

Re:Children suck

[Anonymous Coward]

I didn't say minors. I said "children."

I chose that word carefully.

Your points are all very correct, of course. I am just screaming to an apathetic universe.

Re:The torrent file...

[alvinrod]

A lesson in how trivial it is for anyone to get your email address and other information when you provide it to third parties who may become compromised. I hope it gets voted to +5 just so it sinks in for a few people and they aren't so careless with their personal information in the future.

Gawker honestly shouldn't even store the emails. If someone loses a password they can just make a new account. I don't want to sound mean, but if you can't be a good example you might as well serve as a horrible warning.

Re:Children suck

[causality]

I didn't say minors. I said "children."

I chose that word carefully.

Your points are all very correct, of course. I am just screaming to an apathetic universe.

Point taken. In fact the biggest single reason why I am concerned about the long-term well-being of the USA is that most of its "adults" are petty, indulgent, overgrown children with short memories. In that spirit I can see why you had good reason to choose that word as you did.

I maintain that the more adult thing to do is to overcome such events by learning their lesson, rather than indulging in the "blame game" and making it into a 5-minute hate. Not only is that the constructive solution, it also limits the damage of this intrusion to computer systems only. The anger and hatred merely serves the intruder(s) by extending the damage into the personal realm of your own well-being.

EasyDNS

[Tridus]

It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.

http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php [villagevoice.com]

Re:So much for offloading infrastructure outside.

[jhoegl]

Not 100% sure why this is OT, but okay.

I can tell you for certain that some companies that are Outsourced do not follow the same security standards that we do. Even if they say they do.
Bad part? These companies have access to our finances and/or medical records. Outsourcing tech jobs to India was bad enough, think about outsourcing to communist run countries... where they dont give a shit about privacy.

Re:So much for offloading infrastructure outside.

[Anonymous Coward]

Not entirely sure why communism means privacy is ignored. America seems fairly hell bent on removing the expectation of privacy itself.

Re:Throwaway Email

[plover]

You don't even need to register a throwaway address for Hulu or sites like it. Enter bugmenot [bugmenot.com], savior of the net.

Bugmenot unfortunately lost their courage a few years ago when they changed the way they function. I suspect they were threatened by a lawsuit. Now, any domain or site owner can request that bugmenot exclude their site from participating, and I've found that so many of the popular ones do that it's lost all practical value for me.

I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did. I usually don't. For more "durable" sites where I'm likely to participate over a longer time, I'll create a unique sneakemail [sneakemail.com] address and keep them around forever. When something like the Gizmodo breach happens I simply flag them as spam, and they plonk all the email from them for me. I've had to do that a couple of times now. I find their service is well worth the $24/year.

Re:So much for offloading infrastructure outside.

[cgenman]

I'm vaguely surprised that companies aren't held legally liable if their outsourcing companies don't adhere to certain security standards. It shouldn't be any different if a company you outsource to in India or a division of your company in Idaho leave your clients information unsecured.